5 Replies Latest reply on Feb 11, 2016 7:10 AM by pcraveiro

    Integration with JAAS


      Hi everyone,


      I have applications running in Wildfly 8.2.0, and they're already counting on some "custom login modules" (extended from picketbox's core classes) for authentication and authorization. Since I'm new at picketlink, I was wondering if it was possible to make Picketlink delegate its auth logic to these login modules, out of the box. Specially since I've read some of the docs and the APIs, and I haven't seen any "JAASIdentityStore", only JPA, LDAP and JDBC.


      Going straight to the point, all my apps have a jboss-web.xml file pointing to the corresponding security domain configured in JBoss. Does Picketlink support a security domain configured inside jboss-web.xml?



        • 1. Re: Integration with JAAS

          Hey Rodrigo,


          No, there is no JAAS integration. You are not the first one asking that though


          I can not tell you when or if we are going to support that in the future.



          • 2. Re: Integration with JAAS

            Pedrão, nice to see you here


            Well, that's too bad for me. I'm gonna have to work something out. I take it it's not completely impossible to implement an identity store for that purpose, is it? (which of course I'll have to do it myself)


            As a side note, it seems fair to say that JAAS is being abandoned for good. Apache Shiro also doesn't support it.



            • 3. Re: Integration with JAAS

              @rodrigo.uchoa Your use case sounds highly similar to mine. PL Use Case: WildFly SSO with Picketlink IDM

              I gave an attempt to making a custom LoginModule and Picketlink work together, but failed. I hoped it was just lack of knowledge of the Picketlink internal workings, but I fear its just a limitation that exist, because each Web Application runs its own instance of PL and they are not self aware of each other. Because I needed this for a work project I had to move forward, currently I still can't even use PL, Iv had to put together rocks and sticks to make my own lightweight solution just to met the project needs, aka all I have is a worthless permissions table with several IFs and method invocation interceptors. Which means I lost the robust security layer I wanted from PL. Sadly I can not get the project manager to accept that we shouldn't several WAR files at this stage of the solution, so I cant use PL because they can not share authentication status.

              Picketlink doesn't need to support a LoginModule or any part of JaaS for that matter. But rather it needs some sort of concept of SSO other than SMAL. I hate to say, I have little to offer in this subject, PL is a large project with multiple modules. PL isn't directly an implementation of JSRs, only insider knowledge can produce a solution in a timely manor.

              • 4. Re: Integration with JAAS

                Hi Pedro,

                You said that there's no JAAS integration in Picketlink. However, it seems that there is one in Picketbox and Picketlink builds on Picketbox foundation as per this article.
                I'm currently using JAAS in my application to enable authentication and authorization on Wildfly with Picketbox DatabaseServerLoginModule. I've seen that Picketlink provides OAUTH2 client facilities, and I'd like to do a LoginModule to enable JAAS with OAUTH2 in my application.

                Does it make sense for Picketlink project?

                • 5. Re: Integration with JAAS

                  Hi Rémi,


                       I'm not sure which PicketLink OAuth2 facilities you are referring to, but in any case there is no integration between PicketLink JEE or IdM and JAAS. To enable OAuth2 to your application, or even OpenID Connect, please take a look at the Keycloak project.


                  Best regards.

                  Pedro Igor